Translating Between IPv6 and IPv4

Problem

You want to configure a router to act as a gateway between IPv4 and IPv6 networks.

Solution

Cisco includes a protocol translation feature that allows you to interconnect IPv6 and IPv4 networks:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ipv6 access-list ALLOWED-NAT-DEVS
Router1(config-ipv6-acl)# permit ipv6 any any
Router1(config-ipv6-acl)#exit
Router1(config)#ipv6 nat prefix ::FFFF:0.0.0.0/96 v4-mapped ALLOWED-NAT-DEVS
Router1(config)#ipv6 nat v6v4 source AAAA:5::AA9 192.168.56.100
Router1(config)#interface FastEthernet0/0
Router1(config-if)#no ip address
Router1(config-if)#ipv6 address AAAA:5::2012/64
Router1(config-if)#ipv6 nat
Router1(config-if)#exit
Router1(config)#interface Serial0/0
Router1(config-if)#ip address 192.168.55.12 255.255.255.0
Router1(config-if)#ipv6 nat
Router1(config-if)#exit
Router1(config)#end
Router1#

 

Discussion

Starting in IOS Version 12.2(13)T, Cisco introduced the ability to use a router as a protocol gateway, translating between IPv6 and IPv4 worlds by means of Network Address Translation with Protocol Translation (NAT-PT). For more information on NAT in general, please refer to Chapter 21.

RFCs 4038 and 4291 include discussions of how to address IPv4 packets that originate in an IPv6 network. The current standard method is called the "IPv4-Mapped IPv6 Address," which works very simply. If an IPv6 device wants to send a packet to an IPv4 device whose address is A.B.C.D, then it uses the IPv6 destination address, ::FFFF:A.B.C.D. We have used this standard in this recipe:

Router1(config)#ipv6 access-list ALLOWED-NAT-DEVS
Router1(config-ipv6-acl)#permit ipv6 any any
Router1(config-ipv6-acl)#exit
Router1(config)#ipv6 nat prefix ::FFFF:0.0.0.0/96 v4-mapped ALLOWED-NAT-DEVS

The ipv6 nat prefix command here defines the IPv6 prefix that will be used when translating IPv4 addresses. By including the keyword v4-mapped, we tell the router to simply copy the 4 octets of the IPv4 address into the last 32 bits of the translated IPv6 address. The v4-mapped keyword was introduced in IOS Version 12.3(14)T to ease compliance with RFC 4038.

We have also specified an IPv6 access-list with this command that specifies that all IPv6 devices are allowed to use this rule. If you would prefer to use a more restrictive ACL here, you can easily do so. For example, we might have wanted to specify a single host:

Router1(config)#ipv6 access-list ALLOWED-NAT-DEVS
Router1(config-ipv6-acl)#permit ipv6 host AAAA:5::AA9 any

Or we might have wanted to specify a range of allowed devices:

Router1(config)#ipv6 access-list ALLOWED-NAT-DEVS
Router1(config-ipv6-acl)#permit ipv6 AAAA:5::/64 any

For more information on IPv6 access-lists and access-lists in general, please refer to Chapter 19.

The next NAT-PT command configures a static translation between an IPv6 device and the IPv4 address that refers to this device in the IPv4 network. Unfortunately, there is no way to uniquely encode a 128-bit IPv6 address in a 32-bit IPv4 address, so if we want full two-way connectivity between these networks, we must use a static rule. This is defined using the ipv6 nat v6v4 source command:

Router1(config)#ipv6 nat v6v4 source AAAA:5::AA9 192.168.56.100

In this case, we have decided to associate the IPv6 global unicast address, AAAA:5::AA9, with the IPv4 address, 192.168.56.100. Now all incoming IPv4 packets addressed to 192.168.56.100 will be translated into IPv6 packets and forwarded to AAAA:5::AA9. Similarly, all outgoing IPv6 packets with this IPv6 source address will be translated into IPv4 packets with the specified IPv4 source address.

The final step is to associate this NAT-PT rule with router interfaces:

Router1(config)#interface FastEthernet0/0
Router1(config-if)#no ip address
Router1(config-if)#ipv6 address AAAA:5::2012/64
Router1(config-if)#ipv6 nat
Router1(config-if)#exit
Router1(config)#interface Serial0/0
Router1(config-if)#ip address 192.168.55.12 255.255.255.0
Router1(config-if)#ipv6 nat
Router1(config-if)#exit

In this example, FastEthernet0/0 connects to the IPv6 network, while Serial0/0 connects to the IPv4 network. Both of these interfaces are associated with the NAT-PT rule using the ipv6 nat command. Note that there is no "inside" or "outside" NAT interface here as we saw when we looked at NAT for IPv4 in Chapter 21.

You can then look at the NAT-PT translation table with the command show ipv6 nat translations:

Router1#show ipv6 nat translations
Prot IPv4 source IPv6 source
 IPv4 destination IPv6 destination
--- --- ---
 192.168.55.3 ::FFFF:192.168.55.3

tcp 192.168.56.100,80 AAAA:5::AA9,80
 192.168.55.3,15609 ::FFFF:192.168.55.3,15609

tcp 192.168.56.100,60215 AAAA:5::AA9,60215
 192.168.55.3,23 ::FFFF:192.168.55.3,23

--- 192.168.56.100 AAAA:5::AA9
 192.168.55.3 ::FFFF:192.168.55.3

--- 192.168.56.100 AAAA:5::AA9
 --- ---

Router1#

This output shows several mappings between the same addresses. Focusing on the two TCP connections, we see that the external device, 192.168.55.3, made a connection to TCP port 80 (HTTP) on destination device 192.168.56.100, and with an TCP arbitrary source port of 15609. This was translated to an IPv6 destination address of AAAA:5::AA9 on TCP port 80, and a source address of ::FFFF:192.168.55.3, with a TCP source port of 15609 once again.

The second TCP connection started on the IPv6 side. The IPv6 device AAAA:5::AA9 made a TCP connection on port 23 (Telnet) to the IPv6 destination address, ::FFFF:192.168.55.3, using the arbitrary TCP source port of 60215. NAT-PT rewrote this IPv6 packet as an IPv4 packet with a source address of 192.168.56.100 and source port of 60215 with a destination address of 192.168.55.3 on port 23.

In this example, we wanted full two-way connectivity, so we were forced to use a static mapping for the IPv6 side of the network. However, if we know that all connections will originate from the IPv6 network, then we can use Port Address Translation (PAT), and map all internal IPv6 addresses to a single external IPv4 address, such as the IP address on the IPv4 side of the router:

Router1(config)#ipv6 nat v6v4 source list ALLOWED-NAT-DEVS interface Serial0/0 overload

The overload keyword in this command works exactly the same way as in NAT for IPv4, assigning multiple internal addresses to a single external address.

See Also

Chapter 19; Chapter 21; RFC 4038; RFC 4291





Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net